The present invention relates to the field of usage rights enforcement and management for digitally encoded documents and data.
The encoding and distributing of audio, video, graphical, and written work in digital formats has become a fundamental part of modern business. However, the ease with which copies may be made that are identical to the original and the speed of distribution enabled by the Internet have caused the owners of such works to adopt technologies that associate and enforce usage rights with digitally encoded data. Examples of those interested in such technologies include: providers of music, movies, or other entertainment content; publishers of electronic newspapers, magazines, or books; and corporations with confidential, proprietary, or otherwise sensitive information. Without loss of generality and for ease of exposition, we will refer to all of these kinds of digitally encoded works as data objects.
Many approaches exist to associate and enforce usage rights with data objects. One common approach is based on technologies that attempt to prevent the unauthorized copying of data objects from the physical media carrying the objects. U.S. Pat. No. 5,513,260 is an example of one such copy protection scheme.
Though copy-protection techniques are appropriate for some domains, the types of usage rights that they can enforce are too coarse-grained to be a general solution. For example, the owner of a proprietary and confidential document may wish to have one group of individuals be able only to read a protected document and a different group be allowed to read and write it. Copy-prevention technologies are not powerful enough to describe such usage policies.
More general-purpose approaches exist that protect the data objects so that only authorized users can access and use the objects according to a set of rules specified for each class or group of authorized users. This approach typically relies on encryption technology to guarantee that only authorized users have access to the actual data object. In particular, authorized users are given access to the secret key needed to decrypt the protected object and produce the actual data object. The usage rights typically specify who is authorized to access the secret key and what an authorized user can do with the decrypted data object. This basic approach includes the large body of work in digital rights management (DRM) and related rights management technologies. Though this approach does not prevent copying of the encrypted bits, it achieves the same end result as copy protection, since unauthorized users cannot access the protected data objects without the secret key.
To be effective, a rights management system must tightly couple the usage rights to the encrypted data objects so that the usage rights always appear with the associated object. This coupling should make it very difficult, and ideally impossible, for someone who is neither the owner of the object nor otherwise authorized to separate the data object from its usage rights.
We can group attacks that attempt to separate a data object from its usage rights into two categories. The first category comprises attacks on the combination of the usage rights and encrypted data object. Replacing the usage rights of one file with the usage rights of another is an example of an attack in this category. The second category comprises attacks undertaken while the data object is decrypted and being used by an authorized user. The goal here is to obtain an unprotected copy of the decrypted data object by directly circumventing the usage rights. To be effective, a rights management system must contain mechanisms that protect against both categories of attack.
The second category of attacks highlights the fact that the encrypted data object must eventually be decrypted in order to be accessed by an authorized user. A rights management system may either allow the user to decrypt the data object directly, or it may require the deployment and use of rights-management-aware applications. In many commercial situations, the owner of the protected data object may not want to bother the end user with an explicit encryption and decryption step or may not trust the end user to abide by the usage rights. Thus, the preferred method is to employ rights-management-aware applications that transparently decrypt the data objects for authorized users and enforce the usage rules attached to the objects. Rights-management-aware applications act as trusted agents for the rights management system, enforcing the rules specified by the owners of the protected data objects. Media players that can play music files in encrypted formats are examples of rights-management-aware applications.
The closeness of the coupling and the reliance on trusted application agents constitute the fundamental differences between rights management systems and technologies like encrypting file systems. In an encrypting file system (e.g., Microsoft's EFS, U.S. Pat. No. 6,249,866), usage rights are associated only with the computer structure holding the data object (e.g., a file) and not with the data object itself. Since applications are not aware of the usage rights enforced by an encrypting file system, it is fairly simple for a user, who is authorized to access the object but not to change its usage rights, to save the data object in a manner that does not propagate the rights. In particular, an authorized user of a protected file in an encrypting file system needs only to save the file to a directory outside the encrypting file system to create an unencumbered copy of the protected file.
The use of rights-management-aware applications allows a rights management system to enforce a tight coupling between an encrypted data object and its associated usage rights. Some designers have chosen to implement this tight coupling by storing the usage rights together with the encrypted data object, producing a new data object that is often referred to as a secure container (e.g., see U.S. Pat. No. 6,427,140). In this approach, usage rights are explicitly tied to a particular copy of the protected data object. This approach works well, for example, in commercial markets like online music where the owner of the data object publishes read-only content and simply wants to maintain control over the usage and distribution of the content. We refer to such rights management systems as supporting publish-only distribution models.
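As an added illustration (not code from the patent or from any of the cited systems) of the tight coupling a secure container needs, the following constructed Python model authenticates the usage rights together with the ciphertext under a single tag, so the first category of attack described earlier, grafting the rights of one container onto another, is detected when the container is opened. The XOR keystream cipher and the names seal and open_container are assumptions made for the example.

```python
import hmac
import hashlib
import json
import os

# Constructed secure-container model: the ciphertext and the usage rights are
# covered by one HMAC tag, so neither can be replaced independently.
# The keystream cipher below is a toy for illustration, not a production cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, rights: dict) -> dict:
    """Build a secure container: ciphertext plus rights, with one tag over both."""
    nonce = os.urandom(12)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    rights_blob = json.dumps(rights, sort_keys=True).encode()
    tag = hmac.new(mac_key, nonce + ciphertext + rights_blob, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "rights": rights_blob, "tag": tag}

def open_container(enc_key: bytes, mac_key: bytes, c: dict):
    """Verify the tag before trusting the rights; return (plaintext, rights) or None."""
    msg = c["nonce"] + c["ciphertext"] + c["rights"]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, c["tag"]):
        return None  # ciphertext or rights were altered or swapped in from elsewhere
    stream = _keystream(enc_key, c["nonce"], len(c["ciphertext"]))
    return _xor(c["ciphertext"], stream), json.loads(c["rights"])

def rights_swap_detected(enc_key: bytes, mac_key: bytes) -> bool:
    """First-category attack from the text: copy read-write rights from one container onto another."""
    a = seal(enc_key, mac_key, b"quarterly numbers", {"alice": "read"})
    b = seal(enc_key, mac_key, b"draft memo", {"alice": "read-write"})
    forged = dict(a, rights=b["rights"])
    return open_container(enc_key, mac_key, forged) is None
```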
A key characteristic of the publish-only distribution model is that the usage rights in the secure container are not expected to change over time, or, if they do change, they change slowly and the change affects only one end user at a time. To change the usage rights in the publish-only distribution model, the owner must have access to the secure container holding the usage rights. Access to the secure container would enable the rights management system to modify the usage rights stored in the container. If the secure container is not available, the owner can remove the end user's authorization to access the original secure container (e.g., by destroying the decryption key for this container) and re-issue a new secure container to the end user with the same protected data object but new usage rights. This latter approach requires the rights management system to notify the end user of the new secure container, and it requires that the rights management system have a copy of the data object to put into the new secure container.
Though these requirements are not an imposition in a domain like online music, they are a serious impediment to dynamic environments, i.e., ones where the usage rights protecting data objects may change frequently and in possibly significant ways. These requirements are also a serious impediment to distributed environments, where multiple users may have individual copies of a protected data object on diverse computer devices and storage media, some of which may not be online or otherwise accessible to the owner of the protected object. Clearly, it is not possible in such environments for the rights management system to have access to all of the copies of the protected object when the owner wishes to make a change to the usage rights of that protected object. It is also not desirable to re-issue a new protected data object to a group of users, since the change in usage rights may affect only a few users and should be unnoticed (transparent) to the rest. Furthermore, it may not even be possible to re-issue the protected data object in a distributed environment where the owner controls the usage rights but does not have a copy of the latest version of the object.
In a truly collaborative environment, it is often difficult and sometimes impossible to identify a single “publisher” of collaborative material. For corporate data, however, it is possible to identify the “owner” of collaborative material produced for the purposes of a corporation's business. The owner is the company that employs the author or authors of the collaborative works. For collaborative environments, then, there is a clear need to distinguish between those who produce sensitive material and those who determine the usage rights of the same material.
Authentica has patented a partial solution to the enforcement and management of usage rights for digital data objects in dynamic and distributed environments (U.S. Pat. No. 6,449,721). This approach allows the owner of a digital data object to maintain control over the usage rights even after the protected objects have been distributed to end users. In particular, the approach stores the usage rights of protected objects in a single, central location so that an owner of a protected data object can change the usage rights of that object without requiring simultaneous access to any of the (possibly numerous) copies of the data object. Ideally, this approach allows multiple, distributed copies of the data object to exist while maintaining only a single, authoritative copy of the object's usage rights. Having a single, authoritative copy of the object's usage rights simplifies management of the usage rights.
Authentica's approach creates a unique identifier for each segment of protected information. The Authentica key server maintains an association between unique segment identifiers, the usage rights for those segments, and the encryption keys used to protect and access each segment. To access a protected segment, an end user must authenticate to the server and provide the identifier of the protected segment he or she wishes to access. Assuming that the user is authorized to access the protected segment, the server responds with a decryption key for that segment and the usage rights for that segment and user combination. A rights-management-aware application on the end user's machine uses the server's response to provide the end user with the owner-designated level of access to the protected segment.
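The following constructed Python model is an added example of the central key-server pattern just described; it is not Authentica's code, and the class and method names (KeyServer, protect, set_rights, request_access) are assumptions. One record per segment identifier holds the segment key and per-user rights, so an owner can change or revoke a user's rights centrally and the next request from any copy of the segment reflects the change.

```python
import hashlib
import hmac
import os

# Constructed central key server: segment id -> (key, per-user rights).
# The owner encrypts each segment with the key returned by protect(); end users
# obtain that key and their rights only by authenticating and naming the segment.

class KeyServer:
    def __init__(self):
        self._users = {}      # username -> (salt, password hash)
        self._segments = {}   # segment id -> {"key": bytes, "rights": {user: rights}}

    def register_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def protect(self, rights: dict):
        """Owner registers a new segment; returns its unique identifier and encryption key."""
        seg_id, key = os.urandom(8).hex(), os.urandom(32)
        self._segments[seg_id] = {"key": key, "rights": dict(rights)}
        return seg_id, key

    def set_rights(self, seg_id: str, user: str, rights) -> None:
        """Owner changes one user's rights centrally (None revokes); no copy of the object is touched."""
        if rights is None:
            self._segments[seg_id]["rights"].pop(user, None)
        else:
            self._segments[seg_id]["rights"][user] = rights

    def request_access(self, user: str, password: str, seg_id: str):
        """End-user request: (key, rights) for this user and segment, or None if refused."""
        if not self._authenticate(user, password):
            return None
        seg = self._segments.get(seg_id)
        if seg is None or user not in seg["rights"]:
            return None
        return seg["key"], seg["rights"][user]
```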
Though an approach like Authentica's allows the owners of protected data objects to control usage of distributed information and dynamically change that usage information without the need to collect or redistribute the protected data objects, it is not a complete solution to the problems associated with the enforcement and management of usage rights in collaborative environments. In particular, a solution for collaborative environments needs to focus on protecting the products of collaboration in a manner that fits naturally into existing collaborative models. For example, in commercial enterprises, collaboration often produces multiple documents all protected by the same usage rights, and thus a truly collaborative solution should allow for the easy grouping of multiple documents under a single set of usage rights. In addition, it is often expected that derivative works created during collaboration would also be protected by the usage rights of the collaboration and that changes to these rights would coincide with existing processes for moving a work into a new collaborative setting. Finally, all of the current rights management systems, especially those focused on publish-only distribution models, too tightly control the creation, modification, and distribution of protected documents to be appropriate for protecting the data objects comprising collaborative interactions. An appropriate solution should clearly distinguish between the rights held by “authors” and those held by “owners.”